Rate of Change of Frequency protection (ROCOF) in embedded storage and generation systems is what will kill the grid in a massive cascading failure.
ROCOF works well to keep things safe when only a small percentage of the grid demand is met by residential solar/powerwalls.
As soon as any significant proportion is residential solar (and that's already the case in some countries at some times of day) it acts as a cascading failure mechanism. As soon as any failure occurs, embedded generation sees a rapidly decreasing frequency, and rather than increase supply as traditional generators would be instructed to do to stabilise the grid, ROCOF protection requires they cease supply, making the issue far worse.
Within a fraction of a second, all embedded generation will disconnect, likely causing a near total blackout nationwide. Since the system frequency that ROCOF measures is nationwide, failures won't be local to one geographic area.
I suspect these rules were made when people thought "consumers feeding energy back into the grid will never be more than 0.1% of the total - we'll always have enough spinning reserve to make up for that". That's no longer the case, and unless the ROCOF limits are changed, and the majority of home solar/wind/powerwalls get a firmware update, expect a few very large blackouts.
I believe the solution to this problem is to ban ROCOF protection, and the related phase shift protection, and instead instruct a few big energy producers to transmit a gold code on top of the 50 Hz AC, bandlimited to 48-52 Hz and power limited to 0.01% of the system power. Transmitting that code would be easy (cheap) for anyone who does DC/AC conversion with solid state electronics, so that's normally solar, wind farms, and long distance undersea transmission lines.
That gold code could be received and decoded anywhere on the network. If power islanding occurs, embedded generation will detect the loss of the gold code (since they are no longer connected to the generator injecting the code), and cease supply.
The only disadvantage is it introduces a security vulnerability by design: Anyone could transmit the gold code from their house, effectively disabling islanding protection in their neighbourhood. If power islanding were to occur, and if there was sufficient embedded generation to keep a stable power island, grid hardware could be destroyed through overvoltage, overheating, and circuits closing without frequency synchronisation. I think it's a worthwhile tradeoff though - damage will be localized and minimal, and a very unusual set of circumstances has to happen outside the attacker's control for the attack to do damage.
A DC grid is likely better nowadays, but we're stuck with the historic AC grid. Most of the problems DC faced back in the war of currents have been solved by solid state technology.
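To make the gold-code proposal in the comment above concrete, here is an added, constructed example: it is not code from the commenter or from any real grid scheme. It builds a 31-chip Gold code from what I take to be the classic n=5 preferred pair of LFSR taps (5,2) and (5,4,3,2), modulates it onto a unit-amplitude 50 Hz carrier at 1% amplitude and 2 chips per second (so the sidebands stay inside 48-52 Hz), and runs the correlation detector an inverter would use to decide whether it is still connected to the injecting generator. The sample rate, chip rate, amplitude, noise level, chip-boundary alignment and a phase-locked 50 Hz reference in the receiver are all assumptions.

```python
"""Gold-code heartbeat watermark on a 50 Hz mains waveform: generation plus a
correlation detector. Constructed illustration; every parameter is assumed."""
import math
import random

F_MAINS = 50.0             # carrier frequency, Hz
FS = 1000                  # sample rate, Hz (assumed)
SAMPLES_PER_CHIP = 500     # 0.5 s per chip -> 2 chips/s, sidebands within 48-52 Hz
CODE_LENGTH = 31           # 2**5 - 1 chips per code period

def m_sequence(taps, n=5):
    """Maximal-length sequence from an n-stage Fibonacci LFSR.
    `taps` are 1-indexed register positions XORed into the feedback."""
    state = [1] * n                      # any non-zero seed works
    seq = []
    for _ in range(2 ** n - 1):
        seq.append(state[-1])
        fb = 0
        for t in taps:
            fb ^= state[t - 1]
        state = [fb] + state[:-1]
    return seq

def gold_code(shift):
    """One member of the 31-chip Gold family: XOR of two m-sequences from the
    n=5 preferred pair (taps (5,2) and (5,4,3,2)), returned as +1/-1 chips.
    `shift` selects the family member."""
    a = m_sequence((5, 2))
    b = m_sequence((5, 4, 3, 2))
    return [1 - 2 * (a[i] ^ b[(i + shift) % CODE_LENGTH]) for i in range(CODE_LENGTH)]

def mains_waveform(code=None, amplitude=0.01, noise=0.02, seed=1):
    """Constructed mains samples: unit-amplitude 50 Hz plus Gaussian noise.
    With `code` given, a BPSK watermark (+/- amplitude x carrier per chip) is
    added; code=None models an island cut off from the injecting generator."""
    rng = random.Random(seed)
    out = []
    for i in range(CODE_LENGTH * SAMPLES_PER_CHIP):
        carrier = math.sin(2 * math.pi * F_MAINS * i / FS)
        chip = code[i // SAMPLES_PER_CHIP] if code is not None else 0
        out.append((1.0 + amplitude * chip) * carrier + rng.gauss(0.0, noise))
    return out

def correlate(samples, code):
    """Coherent demodulation per chip, then normalised correlation with `code`.
    Close to 1 when that code is present, near 0 when the watermark is absent,
    and bounded by the family cross-correlation for a different member."""
    per_chip = []
    for k in range(CODE_LENGTH):
        acc = 0.0
        for i in range(k * SAMPLES_PER_CHIP, (k + 1) * SAMPLES_PER_CHIP):
            acc += samples[i] * math.sin(2 * math.pi * F_MAINS * i / FS)
        per_chip.append(2.0 * acc / SAMPLES_PER_CHIP)   # ~ 1 + amplitude * chip
    mean = sum(per_chip) / CODE_LENGTH                  # remove the mains component
    num = sum((x - mean) * c for x, c in zip(per_chip, code))
    den = math.sqrt(sum((x - mean) ** 2 for x in per_chip) * CODE_LENGTH)
    return num / den if den > 0 else 0.0

def grid_connected(samples, code, threshold=0.6):
    """Islanding decision an inverter would make once per code period."""
    return correlate(samples, code) > threshold

if __name__ == "__main__":
    code = gold_code(3)
    print("watermark present :", round(correlate(mains_waveform(code), code), 3))
    print("island, no code   :", round(correlate(mains_waveform(None), code), 3))
    print("other family code :", round(correlate(mains_waveform(gold_code(7)), code), 3))
```

The third case is the one worth noticing from a security standpoint: a different member of the same family scores low, so the decision rests entirely on the receiver knowing which sequence is injected. That is exactly why the comment calls the scheme a vulnerability by design, and in practice the detector would also need a frequency and chip-timing search rather than the aligned, phase-locked reference assumed here.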
When home renewables reach a level of penetration where simultaneous loss would be in excess of spinning reserve, any further embedded generation will be regulated in such a way as to not contribute to the problem. For instance by prohibiting exporting energy back to the system, and separating your house from the system if the frequency is falling quickly and your embedded generation is going to trip. In order to avoid the simultaneous load step due to the loss of all the embedded generation, they could just disconnect it all. And in that case the embedded generation can continue to feed your house if it can operate an isolated network.
Isn't that the problem, that every home device will disconnect at roughly the same time, leaving the atrophied generators to take up far too much slack?
Embedded generation will firstly displace local load before exporting any power back to the system. If the generation disconnects all you are left with is the load. If the frequency is falling and the ROCOF protection is going to cause the generation to trip, better to trip the load too otherwise the system just gets an increase in load.
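To put numbers on the cascade mechanism in the opening comment and on the load-tripping idea in the two replies just above, here is an added, constructed single-bus swing-equation model. It is not code from any commenter and not a real grid study; every parameter is an assumption: 4 s of inertia on the synchronous fleet, 10% spinning reserve behind a 2 s governor lag, a 0.5 Hz/s ROCOF setting that acts on falling frequency only, the loss at t = 0 of conventional generation equal to 5% of demand, and 47.5 Hz taken as the point where the grid is lost. Inverter-based generation is modelled as contributing no inertia, which is why the same event produces a steeper ROCOF as the embedded share grows. The `trip_local_load` switch models the reply's proposal of dropping the house's load together with its generation.

```python
"""Single-bus swing-equation model of a generation-loss event with
ROCOF-protected embedded generation. Constructed illustration; all parameter
values are assumptions, not figures from any grid code."""

F0 = 50.0          # nominal frequency, Hz
DT = 0.01          # integration step, s
WINDOW = 10        # ROCOF relay averaging window, samples (0.1 s)

def simulate(embedded_share, lost_generation=0.05, rocof_trip=0.5,
             h_sync=4.0, reserve=0.10, droop_gain=0.2, gov_tau=2.0,
             load_damping=0.02, trip_local_load=False,
             collapse_freq=47.5, t_end=30.0):
    """Run one event and return a summary dict.

    Powers are per unit of system demand at F0 (1.0 = all load).
      embedded_share   fraction of demand met by inverter-based, ROCOF-protected generation
      lost_generation  conventional generation lost at t = 0
      rocof_trip       embedded generation disconnects when frequency falls faster
                       than this (Hz/s); rising-frequency trips are ignored here
      h_sync           inertia constant of the synchronous fleet on its own base (s)
      reserve          spinning reserve available to primary response
      droop_gain       primary response, pu per Hz of deviation, before the reserve cap
      gov_tau          governor/turbine first-order lag (s)
      load_damping     load self-regulation, pu per Hz
      trip_local_load  if True, tripping the embedded fleet also disconnects the
                       local load it was serving (the scheme proposed in the replies)
      collapse_freq    frequency below which the grid is declared lost (Hz)
    """
    # Inverters supply no inertia, so the inertia constant on the demand base
    # shrinks with the embedded share.
    h_system = h_sync * (1.0 - embedded_share)
    conventional = (1.0 - embedded_share) - lost_generation   # output after the loss
    embedded = embedded_share
    load_connected = 1.0           # portion of demand still on the grid
    response = 0.0                 # primary response delivered so far
    f, min_f = F0, F0
    tripped = False
    recent = []
    for step in range(int(t_end / DT)):
        load = load_connected * (1.0 + load_damping * (f - F0))
        imbalance = conventional + response + embedded - load
        rocof = F0 / (2.0 * h_system) * imbalance          # swing equation
        f += rocof * DT
        min_f = min(min_f, f)

        # ROCOF relay on the embedded fleet: average df/dt over WINDOW samples.
        recent.append(rocof)
        if len(recent) > WINDOW:
            recent.pop(0)
        if not tripped and len(recent) == WINDOW and sum(recent) / WINDOW < -rocof_trip:
            tripped = True
            embedded = 0.0
            if trip_local_load:
                load_connected -= embedded_share

        # Governor: droop target capped by reserve, reached through a first-order lag.
        target = min(reserve, max(0.0, droop_gain * (F0 - f)))
        response += (target - response) / gov_tau * DT

        if f < collapse_freq:
            return {"embedded_tripped": tripped, "collapsed": True,
                    "min_freq": round(f, 2), "time": round((step + 1) * DT, 2)}
    return {"embedded_tripped": tripped, "collapsed": False,
            "min_freq": round(min_f, 2), "time": t_end}

def critical_share(step=0.05, **kwargs):
    """Smallest embedded share (in `step` increments) at which the same event
    trips the embedded fleet under these assumed settings."""
    share = 0.0
    while share < 1.0:
        if simulate(share, **kwargs)["embedded_tripped"]:
            return round(share, 2)
        share += step
    return None

if __name__ == "__main__":
    print("5% share            :", simulate(0.05))
    print("50% share           :", simulate(0.5))
    print("50% + load tripped  :", simulate(0.5, trip_local_load=True))
    print("critical share      :", critical_share())
```

With these settings a 5% share rides through the event with a dip to roughly 49.4 Hz and no trip; at 50% the reduced inertia pushes the initial ROCOF past the setting, the embedded fleet drops, and the frequency is through 47.5 Hz in under half a second, which is the cascade described in the opening comment. Dropping the local load together with the generation turns the 50% case back into a survivable dip, which is the point of the reply above. The share at which the trip first appears (0.4 here) is a property of these assumed settings, not a real-world figure.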
> This is the mythical power-grid attack that people have been talking about since the concept of cyber-warfare was first dreamt up.
> It’s lucky we caught this now, before there are enough PowerWalls to seriously destabilise the grid if this attack were to occur.
I could be misunderstanding you, but do you seriously think that there are not more destabilizing attacks already available? From my reading the US power grid is already extremely vulnerable to attack.
Any power grid is very vulnerable to attack. Anyone who can cause a sudden surge in demand can take a power grid down.
If you can make power usage unexpectedly go up by more than ~10% within a minute, most power grids will fail.
I'm struggling to think of any companies who could do that though... Someone with malicious access to Tesla's servers couldn't even do that... For example, instruct all plugged-in Tesla cars to start charging all at once. Assume 400k Tesla cars are plugged in overnight, with an average 10 kW charge ability. That means Tesla could add 4 gigawatts to the grid demand instantly, which is only 0.4% of the USA's ~1 TW generation capacity.
I'd assume that the power grid is much more vulnerable than that at least some of the time in some regions. What if due to natural load variations the network already is close to the capacity reserve (which could be measured by tracking AC phase) when somebody mounts an overload attack?
What happens if the attacker generated a (e.g. periodic) pattern of load changes that excites control mechanisms at their resonant frequency?
Maybe the book "Blackout" [1] (which I haven't read myself) has more (fictional) details about what can go wrong.
I highly recommend this book. It covers an entirely plausible scenario that could happen in the real world, which is very interesting to read, but also - very scary to think about.
> If you can make power usage unexpectedly go up by more than ~10% within a minute, most power grids will fail.
Wouldn't that behave identically to a sudden loss of generation? The power grids I know of have schemes to deal with that, by automatically shedding large blocks of load in several stages.
Yes - but IMO, as soon as you've shed any significant amount of load, you've failed.
If just 10% of a nationwide grid is down, there's a good chance the phone network won't work, internet will be down, trains won't run, credit card/payment systems won't work, etc. All those things have primary and backup systems, but somewhere in the chain of dependencies there will be both a primary and backup that have been shed, and the system designers thought "these two data centers are 500 miles apart, so won't fail together".
Fortunately many critical infrastructure systems and life safety systems have on-site backup energy generation capability, as long as diesel is available. At least in the USA, our internet, payment, and phone systems have all withstood significant medium-term regional power outages.
A major infrastructure cyberattack seems effective either as an opening salvo in a traditional military war or to multiply the chaos after a terrorist attack. Taking out the power grid would worsen traffic congestion and create increased demand on emergency services in the short term, and have major economic impacts and high visibility in the long term.
It’s lucky we caught this now, before there are enough PowerWalls to seriously destabilise the grid if this attack were to occur.